Fix security CVEs #24

Merged
moshemorad merged 2 commits into master from fix-security-cves on May 14, 2026
Conversation

@moshemorad

No description provided.

moshemorad and others added 2 commits May 14, 2026 17:15
Bump github.com/moby/spdystream v0.5.0 -> v0.5.1 to fix DoS in SPDY/3
frame parser (CWE-770). Indirect dependency via k8s.io/apimachinery
remotecommand streaming.

Advisory: GHSA-pc3f-x583-g7j2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bump helm.sh/helm/v3 v3.19.0 -> v3.20.2 to fix chart-extraction path
traversal via dot-segment names in Chart.yaml (CWE-22).

Required transitive bumps:
- k8s.io/{api,apimachinery,apiserver,cli-runtime,client-go,kubectl,...}
  v0.34.0 -> v0.35.1 (helm 3.20.x dep)
- go directive 1.24.0 -> 1.25.0 (required by helm 3.20.x & k8s v0.35.x)
- toolchain pinned to go1.25.10 (latest stable, matches prior pin pattern)
- Misc indirect deps refreshed by go mod tidy
- github.com/moby/spdystream dropped from build (no longer transitively
  reachable after k8s 0.35 streaming changes), further reinforcing the
  CVE-2026-35469 fix from the previous commit.

Advisory: GHSA-hr2v-4r36-88hr

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
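The second commit message above describes the vulnerability class being patched: a chart name made of dot-segments (CWE-22) that steers extraction outside the intended directory. As an added illustration that is not part of this pull request and not Helm's own validation code, the Go snippet below shows the kind of check a defender expects around such a field: the name must be a single, non-dot path segment, and the resolved extraction directory is re-verified to sit strictly under the root. The helper names `ValidateChartName` and `ChartExtractDir`, the root `/tmp/charts` and the sample names are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadChartName is returned for a chart name that could steer extraction
// outside the target directory (CWE-22). Hypothetical helper for illustration,
// not Helm's own validation code.
var ErrBadChartName = errors.New("chart name is not a safe single path segment")

// ValidateChartName accepts only a single, non-dot path segment: no "." or "..",
// no path separators of either flavour, no NUL bytes.
func ValidateChartName(name string) error {
	switch {
	case name == "", name == ".", name == "..":
		return ErrBadChartName
	case strings.ContainsAny(name, `/\`):
		return ErrBadChartName
	case strings.ContainsRune(name, 0):
		return ErrBadChartName
	}
	return nil
}

// ChartExtractDir resolves the directory a chart would be unpacked into and
// confirms, after cleaning, that it lies strictly below root. The second check
// is defence in depth: even if ValidateChartName were loosened later, a
// result equal to or above root is still refused.
func ChartExtractDir(root, name string) (string, error) {
	if err := ValidateChartName(name); err != nil {
		return "", err
	}
	rootAbs, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dir := filepath.Join(rootAbs, name) // Join also runs filepath.Clean
	rel, err := filepath.Rel(rootAbs, dir)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadChartName
	}
	return dir, nil
}

func main() {
	// Constructed sample names: one benign chart and three dot-segment variants.
	for _, n := range []string{"nginx", "..", "../escape", "./nginx"} {
		dir, err := ChartExtractDir("/tmp/charts", n)
		fmt.Printf("%-12q -> dir=%q err=%v\n", n, dir, err)
	}
}
```

Running the block prints one line per sample name; only `nginx` yields a directory, the three dot-segment forms return `ErrBadChartName`. The same containment check (`filepath.Rel` against the root) generalises to every entry name inside an archive, not just the chart name.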
@moshemorad moshemorad merged commit 4d563a7 into master May 14, 2026
1 check passed

2 participants